Mitigating Statistical Bias within Differentially Private Synthetic Data
Increasing interest in privacy-preserving machine learning has led to new and evolved approaches for generating private synthetic data from undisclosed real data. However, mechanisms of privacy preservation can significantly reduce the utility of synthetic data, which in turn impacts downstream tasks such as learning predictive models or inference. We propose several re-weighting strategies using privatised likelihood ratios that not only mitigate statistical bias of downstream estimators but also have general applicability to differentially private generative models. Through large-scale empirical evaluation, we show that private importance weighting provides simple and effective privacy-compliant augmentation for general applications of synthetic data.
Updated: 2022-05-19 20:27:16
Fields: stat.ML, cs.CR, cs.LG
Dissemination Control in Dynamic Data Clustering For Dense IIoT Against False Data Injection Attack
The IoT has made possible the development of increasingly data-driven services, such as industrial IIoT services, that often deal with massive amounts of data. Meanwhile, as IIoT networks grow, the threats grow with them, and false data injection (FDI) attacks stand out as one of the most aggressive. The majority of current solutions to this attack do not take data validation into account, especially in the data clustering service. To advance on this issue, this work introduces CONFINIT, an intrusion detection system for mitigating FDI attacks on the data dissemination service operating in dense IIoT networks. CONFINIT combines watchdog surveillance and collaborative consensus strategies to assertively exclude various FDI attacks. Simulations showed that, compared to DDFC, CONFINIT increased the number of attacker-free clusters by up to 35% - 40% in a gas pressure IIoT environment. CONFINIT achieved attack detection rates of 99%, accuracy of 90 and an F1 score of 0.81 in multiple IIoT scenarios, with false negative and false positive rates of only up to 3.2% and 3.6%, respectively. Moreover, under two variants of FDI attacks, called Churn and Sensitive attacks, CONFINIT achieved detection rates of 100%, accuracy of 99 and an F1 of 0.93 with less than 2% false positive and false negative rates.
Updated: 2022-05-19 17:39:44
Fields: cs.CR, cs.NI
Take a Bite of the Reality Sandwich: Revisiting the Security of Progressive Message Authentication Codes
Message authentication guarantees the integrity of messages exchanged over untrusted channels. However, to achieve this goal, message authentication considerably expands packet sizes, which is especially problematic in constrained wireless environments. To address this issue, progressive message authentication provides initially reduced integrity protection that is often sufficient to process messages upon reception. This reduced security is then successively improved with subsequent messages to uphold the strong guarantees of traditional integrity protection. However, contrary to previous claims, we show in this paper that existing progressive message authentication schemes are highly susceptible to packet loss induced by poor channel conditions or jamming attacks. Thus, we consider it imperative to rethink how authentication tags depend on the successful reception of surrounding packets. To this end, we propose R2-D2, which uses randomized dependencies with parameterized security guarantees to increase the resilience of progressive authentication against packet loss. To deploy our approach on resource-constrained devices, we introduce SP-MAC, which implements R2-D2 using efficient XOR operations. Our evaluation shows that SP-MAC is resilient to sophisticated network-level attacks and operates as resource-consciously and as fast as existing, yet insecure, progressive message authentication schemes.
Updated: 2022-05-19 16:13:41
Fields: cs.CR
BP-MAC: Fast Authentication for Short Messages
Resource-constrained devices increasingly rely on wireless communication for the reliable and low-latency transmission of short messages. However, especially the implementation of adequate integrity protection of time-critical messages places a significant burden on these devices. We address this issue by proposing BP-MAC, a fast and memory-efficient approach for computing message authentication codes based on the well-established Carter-Wegman construction. Our key idea is to offload resource-intensive computations to idle phases and thus save valuable time in latency-critical phases, i.e., when new data awaits processing. Therefore, BP-MAC leverages a universal hash function designed for the bitwise preprocessing of integrity protection to later only require a few XOR operations during the latency-critical phase. Our evaluation on embedded hardware shows that BP-MAC outperforms the state-of-the-art in terms of latency and memory overhead, notably for small messages, as required to adequately protect resource-constrained devices with stringent security and latency requirements.
Updated: 2022-05-19 15:52:13
Fields: cs.CR
Focused Adversarial Attacks
Recent advances in machine learning show that neural models are vulnerable to minimally perturbed inputs, or adversarial examples. Adversarial algorithms are optimization problems that minimize the accuracy of ML models by perturbing inputs, often using a model's loss function to craft such perturbations. State-of-the-art object detection models are characterized by very large output manifolds due to the number of possible locations and sizes of objects in an image. This leads to sparse outputs, and optimization problems that use them incur a lot of unnecessary computation. We propose to use a very limited subset of a model's learned manifold to compute adversarial examples. Our Focused Adversarial Attacks (FA) algorithm identifies a small subset of sensitive regions in which to perform gradient-based adversarial attacks. FA is significantly faster than other gradient-based attacks when a model's manifold is sparsely activated. Also, its perturbations are more efficient than those of other methods under the same perturbation constraints. We evaluate FA on the COCO 2017 and Pascal VOC 2007 detection datasets.
Updated: 2022-05-19 15:38:23
Fields: cs.LG, cs.CR, cs.CV, cs.NE
Security Analysis of DeFi: Vulnerabilities, Attacks and Advances
Decentralized finance (DeFi) in Ethereum is a financial ecosystem built on the blockchain that had locked over 200 billion USD as of April 2022. All transaction information is transparent and open when transacting through a DeFi protocol, which has led to a series of attacks. Several studies have attempted to optimize DeFi from both economic and technical perspectives. However, few works analyze the vulnerabilities and optimizations of the entire DeFi system. In this paper, we first systematically analyze vulnerabilities related to DeFi in Ethereum at several levels, then we investigate real-world attacks. Finally, we summarize the achievements of DeFi optimization and provide some future directions.
Updated: 2022-05-19 12:44:11
Fields: cs.CR
Differentially private Riemannian optimization
In this paper, we study the differentially private empirical risk minimization problem where the parameter is constrained to a Riemannian manifold. We introduce a framework of differentially private Riemannian optimization by adding noise to the Riemannian gradient on the tangent space. The noise follows a Gaussian distribution intrinsically defined with respect to the Riemannian metric. We adapt the Gaussian mechanism from the Euclidean space to the tangent space, compatible with such a generalized Gaussian distribution. We show that this strategy admits a simpler analysis than directly adding noise on the manifold. We further show privacy guarantees of the proposed differentially private Riemannian (stochastic) gradient descent using an extension of the moments accountant technique. Additionally, we prove utility guarantees under geodesically (strongly) convex and general nonconvex objectives, as well as under the Riemannian Polyak-Łojasiewicz condition. We show the efficacy of the proposed framework in several applications.
Updated: 2022-05-19 12:04:15
Fields: math.OC, cs.CR, cs.LG, stat.ML
Dockerized Android: a container-based platform to build mobile Android scenarios for Cyber Ranges
The best way to train people in security is through Cyber Ranges, i.e., the virtual platforms used by cyber-security experts to learn new skills and attack vectors. In order to realize such virtual scenarios, container-based virtualization is commonly adopted, as it provides several benefits in terms of performance, resource usage, and portability. Unfortunately, the current generation of Cyber Ranges does not consider mobile devices, which nowadays are ubiquitous in our daily lives. Such devices often represent the very first entry point for attackers into target networks. It is thus important to provide tools that emulate mobile devices in a safe environment without incurring the risk of causing any damage in the real world. This work proposes Dockerized Android, i.e., a framework that addresses the problem of realizing vulnerable environments for mobile devices in the next generation of Cyber Ranges. We present the platform's design and implementation and show how the implemented features can be used to realize complex virtual mobile kill-chain scenarios.
Updated: 2022-05-19 12:02:03
Fields: cs.CR
Differential Privacy: What is all the noise about?
Differential Privacy (DP) is a formal definition of privacy that provides rigorous guarantees against the risk of privacy breaches during data processing. It makes no assumptions about the knowledge or computational power of adversaries, and provides an interpretable, quantifiable and composable formalism. DP has been actively researched during the last 15 years, but it is still hard to master for many Machine Learning (ML) practitioners. This paper aims to provide an overview of the most important ideas, concepts and uses of DP in ML, with special focus on its intersection with Federated Learning (FL).
Updated: 2022-05-19 10:12:29
Fields: cs.CR, cs.AI, cs.LG, 68T99
Twenty-two years since revealing cross-site scripting attacks: a systematic mapping and a comprehensive survey
Cross-site scripting (XSS) is one of the major threats to the privacy of data and to the navigation of trusted web applications. Since it was first disclosed in late 1999 by Microsoft security engineers, several techniques have been developed with the aim of securing web navigation and protecting web applications against XSS attacks. The problem became worse with the emergence of advanced web technologies such as Web services and APIs and new programming styles such as AJAX, CSS3 and HTML5. While new technologies enable complex interactions and data exchanges between clients and servers in the network, new programming styles introduce new and complicated injection flaws into web applications. XSS has been, and still is, in the Top 10 list of web vulnerabilities reported by the Open Web Application Security Project (OWASP). Consequently, handling XSS attacks has become one of the major concerns of several web security communities. In this paper, we contribute by conducting a systematic mapping and a comprehensive survey. We summarize and categorize existing efforts that aim to protect against XSS attacks and to develop XSS-free web applications. The present review covers 147 high-quality published studies since 1999, including early publications of 2022. A comprehensive taxonomy is drawn out describing the different techniques used to prevent, detect, protect and defend against XSS attacks. Despite the diversity of XSS attack types and of the scripting languages that can be used to express them, the systematic mapping revealed a remarkable bias toward basic and JavaScript XSS attacks and a dearth of vulnerability repair mechanisms. The survey highlights the limitations, discusses the potential of existing XSS attack defense mechanisms and identifies remaining gaps.
Updated: 2022-05-19 09:18:45
Fields: cs.CR
Cracking White-box DNN Watermarks via Invariant Neuron Transforms
Recently, how to protect the Intellectual Property (IP) of deep neural networks (DNN) has become a major concern for the AI industry. To combat potential model piracy, recent works explore various watermarking strategies to embed secret identity messages into the prediction behaviors or the internals (e.g., weights and neuron activations) of the target model. Sacrificing less functionality and involving more knowledge about the target model, the latter branch of watermarking schemes (i.e., white-box model watermarking) is claimed to be accurate, credible and secure against most known watermark removal attacks, with emerging research efforts and applications in industry. In this paper, we present the first effective removal attack which cracks almost all the existing white-box watermarking schemes with provably no performance overhead and no required prior knowledge. By analyzing these IP protection mechanisms at the granularity of neurons, we discover for the first time their common dependence on a set of fragile features of a local neuron group, all of which can be arbitrarily tampered with by our proposed chain of invariant neuron transforms. On 9 state-of-the-art white-box watermarking schemes and a broad set of industry-level DNN architectures, our attack for the first time reduces the embedded identity message in the protected models to almost random. Meanwhile, unlike known removal attacks, our attack requires no prior knowledge of the training data distribution or the adopted watermark algorithms, and leaves model functionality intact.
Updated: 2022-05-19 07:28:53
Fields: cs.CR, cs.CV, cs.LG
An Improvement of a Key Exchange Protocol Relying on Polynomial Maps
Akiyama et al. (Int. J. Math. Indust., 2019) proposed a post-quantum key exchange protocol that is based on the hardness of solving a system of multivariate non-linear polynomial equations but has a design strategy different from ordinary multivariate cryptography. Their protocol has two versions, an original one and a modified one, where the modified one has a trade-off: its security is strengthened while it has a non-zero error probability in establishing a common key. In fact, the evaluation in their paper suggests that the probability of failing to establish a common key with the modified protocol under the proposed parameter set is impractically high. In this paper, we improve the success probability of Akiyama et al.'s modified key exchange protocol significantly while preserving its security, by restricting each component of the correct common key from the whole coefficient field to a small subset of it. We give theoretical and experimental evaluations showing that our proposed parameter set for our protocol is expected to achieve both a failure probability of $2^{-120}$ and a $128$-bit security level.
Updated: 2022-05-19 07:20:07
Fields: cs.CR, 94A60
MetaV: A Meta-Verifier Approach to Task-Agnostic Model Fingerprinting
For model piracy forensics, previous model fingerprinting schemes are commonly based on adversarial examples constructed for the owner's model as the fingerprint, and verify whether a suspect model is indeed pirated from the original model by matching the two models' behavioral patterns on the fingerprint examples. However, these methods rely heavily on the characteristics of classification tasks, which inhibits their application to more general scenarios. To address this issue, we present MetaV, the first task-agnostic model fingerprinting framework, which enables fingerprinting on a much wider range of DNNs independent of the downstream learning task, and exhibits strong robustness against a variety of ownership obfuscation techniques. Specifically, we generalize previous schemes into two critical design components in MetaV: the adaptive fingerprint and the meta-verifier, which are jointly optimized such that the meta-verifier learns to determine whether a suspect model is stolen based on the concatenated outputs of the suspect model on the adaptive fingerprint. As the key to being task-agnostic, the full process makes no assumption on the internals of the models in the ensemble, provided that they have the same input and output dimensions. Spanning classification, regression and generative modeling, extensive experimental results validate the substantially improved performance of MetaV over the state-of-the-art fingerprinting schemes and demonstrate the enhanced generality of MetaV in providing task-agnostic fingerprinting. For example, when fingerprinting a ResNet-18 trained for skin cancer diagnosis, MetaV simultaneously achieves 100% true positives and 100% true negatives on a diverse test set of 70 suspect models, an approximately 220% relative improvement in ARUC in comparison to the best baseline.
Updated: 2022-05-19 07:16:31
Fields: cs.CR
Morse-STF: Improved Protocols for Privacy-Preserving Machine Learning
Secure multi-party computation enables multiple mutually distrusting parties to perform computations on data without revealing the data itself, and has become one of the core technologies behind privacy-preserving machine learning. In this work, we present several improved privacy-preserving protocols for both linear and non-linear layers in machine learning. For linear layers, we present an extended Beaver triple protocol for bilinear maps that significantly reduces the communication of convolution layers. For non-linear layers, we introduce novel protocols for computing the sigmoid and softmax functions. Both functions are essential building blocks for machine learning training of classification tasks. Our protocols are both more scalable and more robust than prior constructions, and improve runtime performance by 3-17x. Finally, we introduce Morse-STF, an end-to-end privacy-preserving system for machine learning training that leverages all these improved protocols. Our system achieves a 1.8x speedup on logistic regression and a 3.9-4.9x speedup on convolutional neural networks compared to prior state-of-the-art systems.
Updated: 2022-05-19 05:17:29
Fields: cs.CR, cs.LG, math.NT
Quantum Money Generated by Multiple Untrustworthy Banks
While classical money can be copied, it is impossible in principle to copy quantum money: only the bank that issues it knows how to generate it, meaning only the bank can make exact copies. Not all reliable banks, such as central banks, will issue quantum money, so there is the possibility that untrustworthy banks distribute fake or multiple copies of the same quantum money without the users' knowledge. As such, we propose a quantum patchwork money scheme in which banks cannot distribute exact copies to users. This scheme involves multiple banks providing public-key quantum money as shards and generating quantum patchwork money by combining them. The banks can use the quantum patchwork money without completely trusting the other banks. In addition, by adding a protocol for monitoring the distribution of copies, non-bank users can safely use the quantum patchwork money without trusting any banks that may be acting in their own self-interest.
Updated: 2022-05-19 03:21:06
Fields: quant-ph, cs.CR
Peekaboo: A Hub-Based Approach to Enable Transparency in Data Processing within Smart Homes (Extended Technical Report)
We present Peekaboo, a new privacy-sensitive architecture for smart homes that leverages an in-home hub to pre-process and minimize outgoing data in a structured and enforceable manner before sending it to external cloud servers. Peekaboo's key innovations are (1) abstracting common data pre-processing functionality into a small and fixed set of chainable operators, and (2) requiring that developers explicitly declare desired data collection behaviors (e.g., data granularity, destinations, conditions) in an application manifest, which also specifies how the operators are chained together. Given a manifest, Peekaboo assembles and executes a pre-processing pipeline using operators pre-loaded on the hub. In doing so, developers can collect smart home data on a need-to-know basis; third-party auditors can verify data collection behaviors; and the hub itself can offer a number of centralized privacy features to users across apps and devices, without additional effort from app developers. We present the design and implementation of Peekaboo, along with an evaluation of its coverage of smart home scenarios, system performance, data minimization, and example built-in privacy features.
Updated: 2022-05-19 03:13:30
Fields: cs.CR, cs.NI, cs.SE
Stop the Spread: A Contextual Integrity Perspective on the Appropriateness of COVID-19 Vaccination Certificates
We present an empirical study exploring how privacy influences the acceptance of vaccination certificate (VC) deployments across different realistic usage scenarios. The study employed the privacy framework of Contextual Integrity, which has been shown to be particularly effective in capturing people's privacy expectations across different contexts. We use a vignette methodology, where we selectively manipulate salient contextual parameters to learn whether and how they affect people's attitudes towards VCs. We surveyed 890 participants from a demographically-stratified sample of the US population to gauge the acceptance and overall attitudes towards possible VC deployments to enforce vaccination mandates and the different information flows VCs might entail. Analysis of results collected as part of this study is used to derive general normative observations about different possible VC practices and to provide guidance for the possible deployments of VCs in different contexts.
Updated: 2022-05-19 00:42:49
Fields: cs.CY, cs.CR, cs.HC, K.4.1